FluHorse Malware Steals Passwords And 2FA Codes


A new email phishing campaign targeting several market segments in East Asia is distributing FluHorse, a previously undocumented Android malware strain built on the Flutter software development framework.

According to a technical analysis from Check Point, “the FluHorse malware features several fake Android applications that mimic legitimate applications, the majority of which have more than 1,000,000 installs.” These malicious apps steal victims’ login credentials and two-factor authentication (2FA) codes.

New Android FluHorse Malware Is Wreaking Havoc

The malicious apps have been found to impersonate well-known applications such as ETC and VPBank Neo, which are widely used in Taiwan and Vietnam, respectively. Based on the evidence gathered so far, the activity has been ongoing since at least May 2022.

The phishing lure itself is simple: victims receive emails containing links to a fake website that hosts the malicious APK files. The website also screens visitors, serving the APK only when the browser’s User-Agent string matches that of an Android device.

Once installed, the FluHorse malware requests SMS permissions and prompts the user to enter their passwords and credit card details, which are silently exfiltrated to a remote server while the victim is kept waiting for several minutes. The threat actors also use this SMS access to intercept all incoming 2FA codes and forward them to the command-and-control server.
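The combination described above (SMS permissions plus network access in an app that asks for credentials) is something an analyst can check for quickly during APK triage. The following is an added example, not code from the article or from Check Point: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool; the binary manifest inside an APK is not handled) and flags apps that can both read incoming SMS and reach the network. Both manifests it runs against are constructed for illustration and do not come from any real sample; the package names and receiver names are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that give an app a view of incoming text messages, and therefore
# of any one-time codes delivered over SMS.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Constructed sample manifest (hypothetical package and receiver names) showing the
# pattern described in the article: SMS access, an SMS_RECEIVED listener, and INTERNET.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.toll">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="ETC">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no SMS permissions or receivers.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Flag an app that can both read incoming SMS and talk to the network.

    Expects a decoded (plain-text) AndroidManifest.xml. Legitimate messaging apps
    will also match, so the result is a prompt for manual review, not a verdict
    of malice.
    """
    root = ET.fromstring(xml_text)
    permissions = {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}
    sms_permissions = sorted(permissions & SMS_PERMISSIONS)
    has_internet = "android.permission.INTERNET" in permissions

    # A receiver whose intent filter listens for SMS_RECEIVED sees each text as it arrives.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NAME) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            sms_receivers.append(receiver.get(ANDROID_NAME))

    findings = []
    if sms_permissions:
        findings.append("requests SMS permissions: " + ", ".join(sms_permissions))
    if sms_receivers:
        findings.append("registers SMS_RECEIVED receiver(s): " + ", ".join(sms_receivers))
    if sms_permissions and sms_receivers and has_internet:
        findings.append("can read incoming SMS and has network access: possible 2FA-code relay")
        verdict = "review"
    else:
        verdict = "low"

    return {
        "package": root.get("package"),
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        "has_internet": has_internet,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

The check deliberately stops at the manifest: it tells an analyst which samples deserve a closer look at the receiver’s code and network calls, and an app that legitimately handles SMS (a messaging client, for instance) will be flagged too. Pairing this with the app’s claimed identity (an “ETC” or banking label from an unknown package name) is what makes the signal useful.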

The Israeli cybersecurity company says it has also identified a dating app that redirects Chinese-speaking users to fraudulent landing pages designed to harvest credit card information.

With new infrastructure and fraudulent applications appearing every month, the recipients of these phishing emails are reported to include a number of high-profile targets, among them government sector personnel and employees of large industrial corporations.